[aklug] DNS service impacting: DNS Flag Day for EDNS - Feb 1, 2019

Royce Williams royce at tycho.org
Sun Jan 13 16:09:19 AKST 2019


A follow-up to my heads-up about EDNS errors, with test results.

I got the ISC tool for bulk testing running, and checked for EDNS
compatibility for all Alaskan-looking domains.

Of 9727 domains that produced some kind of test result, *1017 Alaskan
domains* were affected in some way. Note that the tester treats things like
this as errors as well, which almost always need to be fixed, but aren't
EDNS-specific:

- if the domain has no NS records at all
- if one of the NS records listed for the domain isn't reachable
... etc.

I've published the results to this raw directory:

    https://www.techsolvency.com/alaskan-domains-list/edns/

... which has three files:

* A list of domains with at least one error
* The test results for those domains
* The results for all domains, regardless of status

I'll leave these up and accessible until at least March 1st.

I'll also update the list a time or two before the deadline - but don't
wait for that while working. Instead, use the tester yourself directly to
verify any fixes:

    https://ednscomp.isc.org/ednscomp

-- 
Royce


On Sat, Jan 12, 2019 at 7:25 AM Royce Williams <royce at tycho.org> wrote:

> All,
>
> If you run a DNS domain, read this:
>
>     https://dnsflagday.net/
>
> Major quotes:
>
>
> *The current DNS is unnecessarily slow and suffers from inability to
> deploy new features. To remediate these problems, vendors of DNS software
> and also big public DNS providers are going to remove certain workarounds
> on February 1st, 2019.*
>
> *This change affects only sites which operate software which is not
> following published standards.*
>
> *[...]*
>
> *The main change is that DNS software from vendors named above will
> interpret timeouts as sign of a network or server problem. Starting
> February 1st, 2019 there will be no attempt to disable EDNS as reaction to
> a DNS query timeout.*
>
> *This effectively means that all DNS servers which do not respond at all
> to EDNS queries are going to be treated as dead.*
>
> [end quotes]
>
> Basically, there are mechanisms out there to retry *without* EDNS when an
> EDNS query times out after a certain time. *These fallback mechanisms are
> going to be removed, which will make the Internet significantly slower for
> anyone trying to reach your domain(s).*
>
> Please check your major domains and a sampling of your minor ones (based
> on platform).
>
> Resources:
>
> * Tester: https://ednscomp.isc.org/ednscomp
> * Background: https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS
> * Bulk scanner for ISPs:
> https://gitlab.labs.nic.cz/knot/edns-zone-scanner/
>
> --
> Royce
>
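
As an added illustration (not part of the original e-mail and not the ISC tester's code), this Python sketch shows what an EDNS query looks like on the wire and how to tell whether a reply carries the OPT record that marks EDNS support. It is a much narrower check than the ISC tester performs; the name `example.ak.us`, the payload sizes and the sample responses are constructed for the example.

```python
import struct

OPT = 41  # RR type of the EDNS OPT pseudo-record (RFC 6891)

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_edns_query(name, qid=0x1234, udp_size=1232):
    """Build an NS query with one OPT record in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 1)  # ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 2, 1)   # QTYPE=NS, QCLASS=IN
    # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return header + question + opt

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def find_opt(msg):
    """Return (udp_size, edns_version) from the OPT record, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == OPT:
            return rclass, (ttl >> 16) & 0xFF
    return None

# Constructed sample replies for the hypothetical name example.ak.us (no network).
def sample_response(with_opt):
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 1 if with_opt else 0)
    question = encode_name("example.ak.us") + struct.pack("!HH", 2, 1)
    rdata = encode_name("ns1.example.ak.us")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, 0) if with_opt else b""
    return header + question + answer + opt
```

A reply for which `find_opt` returns `None` comes from a server that answered but ignored EDNS; a server that never replies to `build_edns_query` output at all is the case the quoted Flag Day text says will be treated as dead.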